This is a post from January 2010, replayed here to make it more accessible.
If you follow security news, you will have seen stories about Twitter and its banned password list, 370-odd passwords which Twitter has embedded in the source code of its registration page so that if you try to use them, it can say that they are "too obvious". Here's one such story. And here's the original source.
As it happens, I spent some of last week reading lists of common passwords (if this sounds grim to you, you should realize that I also spent a noticeable portion of last week reading spam, so you know, after all those misspelled drugs, common passwords were looking good). As a result, the list looked oddly familiar as soon as I saw it. It's "The 500 Worst Passwords of All Time" from Mark Burnett's book Perfect Passwords. You'll find it under that name all over the net, sometimes with proper attribution, and sometimes without.
The Twitter list isn't identical. For one thing, it's shorter, mostly by the removal of passwords under 6 characters; for another, it includes more duplicates (the original list includes "0" twice, probably a formatting error for "000000" and "00000000"). There are some other additions, like "twitter" and "abcdef", probably signs that another list was added in.
You may ask how I KNOW it's the same list. After all, maybe those really ARE the 500 worst passwords of all time, and Twitter came up with them independently, but if that's the case, it's a mystery that they don't match the data from any place else. Here's a summary of three compromised password lists. My first tip-off was "srinivas", eye-catching because it's the name of a colleague, and it's staggeringly improbable as a top 500 password. Sure, it's a pretty common Indian name, but it's the only Indian name on the list, it doesn't occur on any other frequent password lists, and it's not a pop-culture reference with the kind of extraordinary popularity shown by the other entries. There's no way it should beat out "krishna" or "ganesh", popular Indian names with lots more American popularity than "srinivas". So it's more than a little suspicious to see it on these two lists. Couple that with the rest of the overlaps, and there's no way Twitter made this list up.
Furthermore, if you look at uncensored password frequency data, you're awfully likely to find exclamation points (particularly on obscenities, which are extremely popular in passwords -- if you see a top 100 list with nothing obscene in it, become very, very suspicious, as they usually make it into the top 10). This list has no punctuation, presumably due to filtering at some point. It was almost certainly intended to be used with case insensitivity and common substitutions (Twitter is not using it that way; "srinivas" may be too obvious, but my local Srinivas was quite chagrined to discover that "Srinivas" is A-OK in Twitter's eyes). The top 500 list, and its Twitter descendant, do include obscenities, although much press coverage edits them out.
In any case, there's no such thing as the 500 worst passwords of all time. The passwords on any given list reflect the password rules of the site, the pop culture of the time (that all-time list was before the band Blink 182 became popular), the popular names and sports teams of the regions the users come from… There are a lot of commonalities from list to list (apparently "password", "letmein", and "123456" never get old), but there's a lot of turnover, as well. My mystic password predictor says "avatar" is on the hit list with a bullet these days.
Looking at lists of common passwords is a fun exercise in social psychology, but if you want to know something about password security, use the longest password you're allowed, and put more than one piece of punctuation, and more than one number, somewhere in the middle. This advice is not original; here's Bruce Schneier's version, with explanation. That will not only keep you off the top 500 lists, it will also go some ways towards actually keeping you secure. The odds are that using your last name will keep you off a short banned list (even if you have a staggeringly popular last name) but it won't do a thing to keep away the password crackers, who really do use information about your login and your real name to decide what to try. Avoiding this kind of list is to actually being secure as avoiding getting onto the freeway in the wrong direction is to being a good driver. It is a start, but it's hard to call it even a good start.
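To make the two points above concrete, here is an added example (mine, not Twitter's registration-page code): a denylist check done the way the post says Twitter did it (exact, case-sensitive), beside a normalized check that folds case and undoes common substitutions, plus a checker for the advice given in the last paragraph. The denylist is a constructed handful of entries mentioned in the post; the substitution table and the 12-character minimum are my assumptions, not anything the post or Twitter specifies.

```python
"""Banned-password checks: exact match versus normalized match.

Added example, not Twitter's code. DENYLIST is a constructed sample built
from entries the post mentions; a real deployment would load a full list.
"""
import re
import string

# Constructed sample denylist (entries mentioned in the post).
DENYLIST = {"password", "letmein", "123456", "srinivas", "twitter", "abcdef", "avatar"}

# Assumed table of common substitutions ("p@ssw0rd" -> "password").
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})


def naive_banned(password: str, denylist=DENYLIST) -> bool:
    """Exact, case-sensitive membership test: the behaviour the post describes,
    where "srinivas" is refused but "Srinivas" is accepted."""
    return password in denylist


def normalize(password: str) -> str:
    """Fold case, drop a trailing run of digits/punctuation, undo common
    substitutions and strip remaining punctuation, so "P@ssw0rd!1" and
    "L3tM31n2010" collapse to "password" and "letmein"."""
    folded = password.lower()
    core = re.sub(r"[^a-z]+$", "", folded)
    if not core:  # all-digit or all-punctuation input: nothing to fold, keep as-is
        return folded
    unleeted = core.translate(_SUBSTITUTIONS)
    return "".join(ch for ch in unleeted if ch.isalnum())


def normalized_banned(password: str, denylist=DENYLIST) -> bool:
    """Refuse the password if either its lowercased form or its normalized
    form is on the list (the way the list was meant to be used)."""
    return password.lower() in denylist or normalize(password) in denylist


def meets_advice(password: str, min_length: int = 12) -> bool:
    """Approximates the post's advice: a long password with at least two
    punctuation characters and at least two digits, none of them at the
    ends. min_length is an assumed value; the post says "the longest you're
    allowed"."""
    if len(password) < min_length:
        return False
    interior = password[1:-1]
    punct = sum(ch in string.punctuation for ch in interior)
    digits = sum(ch.isdigit() for ch in interior)
    return punct >= 2 and digits >= 2


def check_password(password: str, denylist=DENYLIST) -> list:
    """Return a list of reasons to reject the password; empty means accepted."""
    problems = []
    if normalized_banned(password, denylist):
        problems.append("too obvious: on the banned list after normalization")
    if not meets_advice(password):
        problems.append("too short, or fewer than two interior punctuation marks/digits")
    return problems


if __name__ == "__main__":
    for candidate in ["srinivas", "Srinivas", "P@ssw0rd!1", "blue-7!sky_2-lamp"]:
        print(f"{candidate!r}: naive={naive_banned(candidate)} "
              f"normalized={normalized_banned(candidate)} problems={check_password(candidate)}")
```

The normalized check catches "Srinivas", "P@ssw0rd!1" and "L3tM31n2010", all of which sail past the exact-match check; it still lets through anything built from the user's own name or login, which is the point the post makes about crackers.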
Tuesday, June 5, 2012
Sunday, May 13, 2012
Management Metaphors You Don't Need: The Pig and the Chicken
Do you know the difference between being committed and being involved? When you eat eggs and bacon, the chicken is involved, and the pig is committed!
I would like to note that my present management chain is not particularly fond of metaphors, and has never offered me this one, but it has come up before.
One advantage of this metaphor is that it allows you to say you want people to be pigs, which does briefly catch their interest. Or outrage them.
But what happens if you actually think about the implications? Well, the first interpretation I come up with is "It is not acceptable to merely be willing to sacrifice your children for the project; you have to be willing to die for it." That's icky. Even suggesting it's a good thing is icky. If you'd like a more professional phrasing than "icky", try "That's not a culture I want to work in."
But if you think about it for a bit longer, it doesn't get better, it gets worse. Ignoring the whole "first you die and then they eat you" thing, the chicken is not involved. The chicken and the egg-eater have a mutual interest in eggs, but different end goals; they are working at cross-purposes with an intersection point. The chicken wants eggs as a way to get more chickens, the egg-eater wants eggs for food.
As for the pig, the pig is not at all committed to bacon. The pig is opposed to bacon. The pig, if it could envision bacon, would surely take steps to prevent it. The pig is a purely unconscious participant in the breakfast, which does what gives it pleasure, unintentionally providing benefit to people who then eat it.
The commonality between the pig and the chicken is that they are both fools, being controlled by forces unknown to them and ultimately hostile to them. It is not in the best interests of my management chain to convince me that I am in either of these positions.
You know who's involved in bacon and eggs? The waiter. And who's committed? Take your choice; the chef, the eater, the restaurant owner. As for chickens and pigs, their lack of active opposition to bacon and eggs indicates their lack of knowledge on the subject.